RE: Converting raw 802.11 (rfmon) capture file to standard libpcap

From: Jerry Shenk (jshenk@decommunications.com)
Date: Mon Jan 12 2004 - 20:30:34 EST


I thought that I had once exported an rfmon capture file to a text file
with tethereal and then used text2pcap to put those files back into a
tcpdump-readable file but I can't seem to get it to work. No matter
what I try, when I use tcpdump to read the file, I get an error like
"unknown data link type 105", "libnet_write_link_layer: Message too
long" or something ends up being wrong with the header so that IP info
isn't extracted by tcpdump. If I use text2pcap with a "-i 6" switch,
then it seems like the header gets written about half and it seems to be
pretty close but I never quite get what I'm looking for. My "best shot"
so far is using tethereal to read a Kismet dump file and extract only
the data packets, dump that out to a text file, and convert that text file
to a dump file with text2pcap like this:

tethereal -r Kismet-Sep-02-2003-1.dump -w Kismet-Sep-02-2003-1-ip_only.dump wlan.fc.type_subtype==32
tethereal -xr Kismet-Sep-02-2003-1-ip_only.dump > Kismet-Sep-02-2003-1-ip_only.text
text2pcap -i 6 Kismet-Sep-02-2003-1-ip_only.text Kismet-Sep-02-2003-1-ip_only_text.dump

After that, tcpdump shows almost all the packets with some kind of an
error, many 'bad option' or 'bad hdr length'.
tcpdump -r Kismet-Sep-02-2003-1-ip_only_text.dump

Tcpreplay complains about the packet structure "tcpreplay:
libnet_write_link_layer: Message too long"
tcpreplay -r 1 -i eth0 Kismet-Sep-02-2003-1-ip_only_text.dump

Tethereal has the packets looking ok....kind of, most of them are
"[Malformed Packet: TCP]". Oh well, I've fooled with this long
enough...I'll just put it on the back burner...maybe someday the light
will go on;)

-----Original Message-----
From: James Golovich [mailto:james@wwnet.net]
Sent: Monday, January 12, 2004 1:06 PM
To: pen-test@securityfocus.com
Subject: Re: Converting raw 802.11 (rfmon) capture file to standard libpcap

On Sun, 11 Jan 2004, Jerry Shenk wrote:

> Does anybody know of a way to convert an rfmon capture file (raw 802.11)
> to standard libpcap? The goal is to use 'normal' data stream analysis
> tools to analyze a previously captured data file. One specific goal
> would be to use tcpreplay to play back an rfmon capture file over an
> Ethernet interface. It would seem that tethereal would be able to do
> this but I haven't figured it out yet.
>

ethereal/tethereal comes with a tool that can do this called editcap.
It's been a while since I've used it but I kind of remember using it
like:
editcap -T ieee-802-11 infile outfile
or
editcap -T ieee-802-11-radio infile outfile
depending on what format the capture type is.

James
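An added example, not code from either poster: the conversion this thread is after (raw 802.11 data frames turned into Ethernet frames that tcpdump, tcpreplay and similar tools can parse) means rewriting the 802.11 MAC header plus LLC/SNAP encapsulation into a 14-byte Ethernet II header. Changing only the link-type field of the pcap leaves the 802.11 header bytes in front of the IP packet, which is what produces "bad hdr length" style errors. The script below reads a classic libpcap file with link type 105 (raw 802.11), converts each unencrypted, unfragmented data frame by mapping DA and SA from the ToDS/FromDS bits and taking the EtherType from the SNAP header, skips management, control, null-data and Protected frames, and writes a link type 1 (Ethernet) file. The MAC addresses, IPv4 header and sample frames are constructed for the demonstration; `fcs_present` is an assumption the caller has to make, because a link type 105 capture does not record whether the trailing FCS was kept.

```python
import struct

DLT_EN10MB = 1         # libpcap link type for Ethernet
DLT_IEEE802_11 = 105   # libpcap link type for raw 802.11 (no radio header)
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP prefix that precedes the EtherType


def read_pcap(data):
    """Parse a classic libpcap blob into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    off, pkts = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkts.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, pkts


def write_pcap(linktype, pkts):
    """Serialise packets as a little-endian classic libpcap blob with the given link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in pkts:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def dot11_to_ethernet(frame, fcs_present=False):
    """Rewrite one 802.11 data frame as an Ethernet II frame; None if not convertible
    (management/control frames, null-data subtypes, encrypted frames, fragments, non-SNAP bodies)."""
    if fcs_present:
        frame = frame[:-4]                      # drop the trailing 802.11 FCS
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2 or subtype & 0x4:             # not a data frame, or a no-data subtype
        return None
    if fc1 & 0x40:                              # Protected flag: payload is encrypted
        return None
    if fc1 & 0x04 or frame[22] & 0x0F:          # More Fragments flag or fragment number != 0
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                       # WDS: four addresses, DA=A3, SA=A4
        if len(frame) < 30:
            return None
        da, sa, hdr_len = a3, frame[24:30], 30
    elif to_ds:                                 # station -> AP: DA=A3, SA=A2
        da, sa = a3, a2
    elif from_ds:                               # AP -> station: DA=A1, SA=A3
        da, sa = a1, a3
    else:                                       # ad hoc: DA=A1, SA=A2
        da, sa = a1, a2
    if subtype & 0x8:                           # QoS Data: 2-byte QoS Control field
        hdr_len += 2
        if fc1 & 0x80:                          # Order flag on QoS data: 4-byte HT Control
            hdr_len += 4
    body = frame[hdr_len:]
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        return None
    return da + sa + body[6:8] + body[8:]       # dst, src, EtherType, payload


def convert_capture(pcap_bytes, fcs_present=False):
    """Convert a link type 105 capture to link type 1. Returns (pcap_bytes, frames_skipped)."""
    linktype, pkts = read_pcap(pcap_bytes)
    if linktype != DLT_IEEE802_11:
        raise ValueError(f"expected link type {DLT_IEEE802_11} (raw 802.11), got {linktype}")
    converted, skipped = [], 0
    for ts_sec, ts_usec, frame in pkts:
        eth = dot11_to_ethernet(frame, fcs_present)
        if eth is None:
            skipped += 1
        else:
            converted.append((ts_sec, ts_usec, eth))
    return write_pcap(DLT_EN10MB, converted), skipped


# --- constructed sample input (not taken from any real capture) ---------------
STA = bytes.fromhex("001122334455")   # constructed station MAC
AP = bytes.fromhex("aabbccddeeff")    # constructed BSSID
HOST = bytes.fromhex("66778899aabb")  # constructed wired host MAC
# Minimal constructed IPv4 header: 10.0.0.1 -> 10.0.0.2, protocol TCP, checksum left zero.
IPV4_SAMPLE = bytes.fromhex("4500001400010000400600000a0000010a000002")
_LLC_IP = LLC_SNAP + b"\x08\x00" + IPV4_SAMPLE
SAMPLE_FRAMES = [
    b"\x08\x02\x00\x00" + STA + AP + HOST + b"\x10\x00" + _LLC_IP,   # FromDS: A1=DA, A2=BSSID, A3=SA
    b"\x08\x01\x00\x00" + AP + STA + HOST + b"\x20\x00" + _LLC_IP,   # ToDS: A1=BSSID, A2=SA, A3=DA
    b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x30\x00" + b"\x00" * 12,   # beacon: skipped
    b"\x08\x42\x00\x00" + STA + AP + HOST + b"\x40\x00" + bytes(range(8)),      # Protected: skipped
]
SAMPLE_PCAP = write_pcap(DLT_IEEE802_11, [(1062000000 + i, 0, f) for i, f in enumerate(SAMPLE_FRAMES)])

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    dst = sys.argv[2] if len(sys.argv) > 2 else "converted-ethernet.pcap"
    out, skipped = convert_capture(src)
    open(dst, "wb").write(out)
    print(f"wrote {dst}: {len(read_pcap(out)[1])} Ethernet frames, {skipped} frames skipped")
```

Run it as `python dot11_to_eth.py input-dlt105.dump output.pcap`; with no arguments it converts the constructed sample. Frames it skips are counted rather than dropped silently, so a capture that is mostly Protected frames shows up immediately as "N frames skipped" instead of as a mysteriously empty output; encrypted traffic has to be decrypted before this conversion makes sense, and fragmented frames would need reassembly that this script does not attempt.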



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT